X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=sshccp.c;h=0b3dc5737c1babe3e4640a42329ef03e8939b356;hb=af1460d6e5044a3344aaacd15c91cfdcb58578e7;hp=71fde427e058d7c4d1bb3499c79a0f657d7255cb;hpb=e28b35b0a39de28fa2f71aa78071d1ad62deaceb;p=PuTTY.git
diff --git a/sshccp.c b/sshccp.c
index 71fde427..0b3dc573 100644
--- a/sshccp.c
+++ b/sshccp.c
@@ -215,7 +215,23 @@ static void bigval_export_le(const bigval *r, void *vdata, int len)
 */
 static void bigval_add(bigval *r, const bigval *a, const bigval *b)
 {
-#if BIGNUM_INT_BITS == 32
+#if BIGNUM_INT_BITS == 64
+ /* ./contrib/make1305.py add 64 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += a->w[0];
+ acclo += b->w[0];
+ r->w[0] = acclo;
+ acclo >>= 64;
+ acclo += a->w[1];
+ acclo += b->w[1];
+ r->w[1] = acclo;
+ acclo >>= 64;
+ acclo += a->w[2];
+ acclo += b->w[2];
+ r->w[2] = acclo;
+ acclo >>= 64;
+#elif BIGNUM_INT_BITS == 32
 /* ./contrib/make1305.py add 32 */
 BignumDblInt acclo;
 acclo = 0;
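Review bot: Every `acclo >>= 64` in the new `BIGNUM_INT_BITS == 64` arm is undefined behaviour unless `BignumDblInt` is wider than 64 bits, and nothing in the hunk records that assumption; the same applies to the `>> 64` shifts in the mul and final_reduce hunks further down. Presumably the header that selects BIGNUM_INT_BITS == 64 only does so when a 128-bit type is available, but a reader of this file cannot see that. I would put it on the `#if` line of each generated block, e.g. `#if BIGNUM_INT_BITS == 64 /* requires a 128-bit BignumDblInt: the >> 64 shifts below are UB otherwise */`, ideally emitted by make1305.py so the three copies stay in step. The final `acclo >>= 64;` before `#elif` is not read again within the hunk, so the carry out of w[2] is dropped there; that is harmless if the inputs are already reduced, but a one-line comment from the generator would stop it being read as a lost carry. bigval_add's body continues outside the hunk.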
@@ -290,7 +306,84 @@ static void bigval_add(bigval *r, const bigval *a, const bigval *b)
 */
 static void bigval_mul_mod_p(bigval *r, const bigval *a, const bigval *b)
 {
-#if BIGNUM_INT_BITS == 32
+#if BIGNUM_INT_BITS == 64
+ /* ./contrib/make1305.py mul 64 */
+ BignumDblInt tmp;
+ BignumDblInt acclo;
+ BignumDblInt acchi;
+ BignumDblInt acc2lo;
+ acclo = 0;
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ r->w[0] = acclo;
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ r->w[1] = acclo;
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[0]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[0]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ r->w[2] = acclo & (((BignumInt)1 << 2)-1);
+ acc2lo = 0;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 62)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[1]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[1]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 62);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += ((acclo >> 2) & (((BignumInt)1 << 62)-1)) * ((BignumDblInt)5 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ tmp = (BignumDblInt)(a->w[2]) * (b->w[2]);
+ acclo += tmp & BIGNUM_INT_MASK;
+ acchi += tmp >> 64;
+ acc2lo += (acclo & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 62);
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += 
((acclo >> 2) & (((BignumInt)1 << 2)-1)) * ((BignumDblInt)5 << 0);
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo = 0;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 60)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ acc2lo += (acclo & (((BignumInt)1 << 4)-1)) * ((BignumDblInt)25 << 60);
+ acc2lo += r->w[0];
+ r->w[0] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += ((acclo >> 4) & (((BignumInt)1 << 60)-1)) * ((BignumDblInt)25 << 0);
+ acclo = acchi + (acclo >> 64);
+ acchi = 0;
+ acc2lo += r->w[1];
+ r->w[1] = acc2lo;
+ acc2lo >>= 64;
+ acc2lo += r->w[2];
+ r->w[2] = acc2lo;
+ acc2lo >>= 64;
+#elif BIGNUM_INT_BITS == 32
 /* ./contrib/make1305.py mul 32 */
 BignumDblInt tmp;
 BignumDblInt acclo;
@@ -819,7 +912,28 @@ static void bigval_mul_mod_p(bigval *r, const bigval *a, const bigval *b)
 
 static void bigval_final_reduce(bigval *n)
 {
-#if BIGNUM_INT_BITS == 32
+#if BIGNUM_INT_BITS == 64
+ /* ./contrib/make1305.py final_reduce 64 */
+ BignumDblInt acclo;
+ acclo = 0;
+ acclo += 5 * ((n->w[2] >> 2) + 1);
+ acclo += n->w[0];
+ acclo >>= 64;
+ acclo += n->w[1];
+ acclo >>= 64;
+ acclo += n->w[2];
+ acclo = 5 * (acclo >> 2);
+ acclo += n->w[0];
+ n->w[0] = acclo;
+ acclo >>= 64;
+ acclo += n->w[1];
+ n->w[1] = acclo;
+ acclo >>= 64;
+ acclo += n->w[2];
+ n->w[2] = acclo;
+ acclo >>= 64;
+ n->w[2] &= (1 << 2) - 1;
+#elif BIGNUM_INT_BITS == 32
 /* ./contrib/make1305.py final_reduce 32 */
 BignumDblInt acclo;
 acclo = 0;
@@ -1124,7 +1238,7 @@ static const struct ssh_mac ssh2_poly1305 = {
 poly_start, poly_bytes, poly_genresult, poly_verresult,
 "", "", /* Not selectable individually, just part of ChaCha20-Poly1305 */
- 16, "Poly1305"
+ 16, 0, "Poly1305"
 };
 
 static void *ccp_make_context(void)
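Review bot: The `0` inserted into the ssh2_poly1305 initializer is an unlabelled positional field, and the same applies to the `64` inserted into the ssh2_chacha20_poly1305 initializer in the last hunk; from this file alone a reader cannot tell which struct member either value fills or why those values are right. Presumably they correspond to members added to struct ssh_mac and struct ssh2_cipher outside this file (a key length of zero fits a MAC that has no key of its own). I would annotate both inline, e.g. `16, 0 /* no key of its own: part of ChaCha20-Poly1305 */, "Poly1305"` here and a matching comment on the `64` in the cipher table, so the positional layout is checkable against the struct definitions.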
@@ -1176,7 +1290,11 @@ static void ccp_length_op(struct ccp_context *ctx, unsigned char *blk, int len,
 unsigned long seq)
 {
 unsigned char iv[8];
- PUT_32BIT_LSB_FIRST(iv, seq >> 32);
+ /*
+ * According to RFC 4253 (section 6.4), the packet sequence number wraps
+ * at 2^32, so its 32 high-order bits will always be zero.
+ */
+ PUT_32BIT_LSB_FIRST(iv, 0);
 PUT_32BIT_LSB_FIRST(iv + 4, seq);
 chacha20_iv(&ctx->a_cipher, iv);
 chacha20_iv(&ctx->b_cipher, iv);
@@ -1213,7 +1331,7 @@ static const struct ssh2_cipher ssh2_chacha20_poly1305 = {
 ccp_decrypt_length,
 "chacha20-poly1305@openssh.com",
- 1, 512, SSH_CIPHER_SEPARATE_LENGTH, "ChaCha20",
+ 1, 512, 64, SSH_CIPHER_SEPARATE_LENGTH, "ChaCha20",
 &ssh2_poly1305
 };
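Review bot: With `PUT_32BIT_LSB_FIRST(iv, 0);` the ChaCha20 nonce is now derived solely from the low 32 bits of `seq`, and the new comment should state what that implies: under a single key the nonce repeats once the sequence number wraps, so uniqueness depends on rekeying before 2^32 packets are sent, which presumably is enforced by rekey limits elsewhere rather than in this function. I would extend the comment with `* The nonce therefore repeats after 2^32 packets under one key; rekeying must happen before that.` It is also worth recording in the commit that the old `seq >> 32` was itself undefined wherever `unsigned long` is 32 bits wide, since that is a second reason the line had to go. The rest of ccp_length_op lies outside the hunk.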